Threat Advisory

Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

Threat: Malware
Criticality: High

Summary:

A financially motivated threat actor from Brazil is targeting Spanish- and Portuguese-speaking individuals in Portugal, Mexico, and Peru, taking advantage of the high usage of online banking in these regions. The actor uses CMD-based scripts, AutoIt scripts, and LOLBaS (living-off-the-land binaries and scripts) techniques to evade security measures and steal online banking credentials, delivered through phishing emails and social engineering. By posing as authoritative entities, they deceive victims into revealing their login information and compromise their online banking accounts.

The campaign starts with phishing emails titled "Multa de Trânsito" (traffic infraction ticket) in Portuguese, using scare tactics to prompt users to open an HTML attachment. The attachment contains a large ".CMD" file with encoded data and instructions. The file runs an AutoIt script that downloads and executes a ".VBS" file. The VBS file steals Outlook data and Chrome passwords and sends the stolen information to the attacker's command and control server.

The phishing and command and control infrastructure use multiple domains and fast flux services, making it challenging to track and analyze traffic. The threat actor's identity is difficult to trace due to obscured registration data. To defend against LOLBaS, organizations should implement a multi-layered strategy involving robust endpoint security, least privilege enforcement, security awareness training, and continuous monitoring of system logs for unusual activities.
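The stage order described above (a .CMD launched from the HTML lure, an AutoIt interpreter, then a .VBS run by the Windows script host) can be checked in process-creation logs. The following detection logic is an added Python example, not part of the advisory or the linked report; the events, pids, user name and file names are constructed, and "AutoIt3.exe" is simply the standard AutoIt interpreter name, not an indicator from this campaign.

```python
import json
import re

# Constructed process-creation events (Sysmon Event ID 1 style) as JSON lines.
# Pids, user name and file names are made up for this example.
SAMPLE_EVENTS = r"""
{"pid": 410, "ppid": 400, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe C:\\Users\\ana\\Downloads\\multa.html"}
{"pid": 420, "ppid": 410, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Users\\ana\\Downloads\\Multa_Transito.cmd"}
{"pid": 430, "ppid": 420, "image": "C:\\Users\\ana\\AppData\\Local\\Temp\\AutoIt3.exe", "cmdline": "AutoIt3.exe loader.au3"}
{"pid": 440, "ppid": 430, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\ana\\AppData\\Local\\Temp\\upd.vbs"}
{"pid": 500, "ppid": 300, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Scripts\\backup.cmd"}
{"pid": 510, "ppid": 500, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Scripts\\rotate.vbs"}
"""

def parse_events(text):
    """Index JSON-line events by pid."""
    return {ev["pid"]: ev for ev in map(json.loads, text.strip().splitlines())}

def ancestors(events, pid):
    """Walk from pid up the parent chain, stopping on unknown or cyclic pids."""
    seen = set()
    while pid in events and pid not in seen:
        seen.add(pid)
        yield events[pid]
        pid = events[pid]["ppid"]

def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()

def detect_lolbas_chain(events):
    """Return (vbs_pid, autoit_pid, cmd_pid) for each wscript/cscript .vbs launch whose
    ancestry has an AutoIt interpreter under a cmd.exe that ran a .cmd file."""
    hits = []
    for ev in events.values():
        if image_name(ev) not in ("wscript.exe", "cscript.exe") or ".vbs" not in ev["cmdline"].lower():
            continue
        autoit_pid = cmd_pid = None
        for anc in ancestors(events, ev["ppid"]):
            if autoit_pid is None and image_name(anc).startswith("autoit3"):
                autoit_pid = anc["pid"]
            elif autoit_pid is not None and image_name(anc) == "cmd.exe" \
                    and re.search(r"\.cmd\b", anc["cmdline"], re.I):
                cmd_pid = anc["pid"]
                break
        if autoit_pid is not None and cmd_pid is not None:
            hits.append((ev["pid"], autoit_pid, cmd_pid))
    return hits

if __name__ == "__main__":
    print(detect_lolbas_chain(parse_events(SAMPLE_EVENTS)))
```

The benign cmd.exe -> wscript.exe pair (pids 500 and 510) does not match because the AutoIt stage is missing, which keeps the rule from firing on ordinary administrative scripts.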

Threat Profile:

References:

The following reports contain further technical details:

https://thehackernews.com/2023/06/brazilian-cybercriminals-using-lolbas.html
